The Gentle Art of Firefox Tuning (and Taming)

Linux users tend, I've noticed, to complain about suckiness on the Web
itself, and in their own Web browsers — browser bloat, sites going
all-Flash, brain damage inherent in AJAX-oriented "Web 2.0" sites[1], and
death-by-JavaScript nightmares. However, the fact is: We've come a long
way.

In the bad old days, the best we had was the crufty and proprietary
Netscape Communicator 4.x kitchen sink^W^W"communications suite"
into which Netscape Navigator 3.x, a decent browser for its day, had
somehow vanished. That was dispiriting, because an increasing number of
complex Web pages (many of them Front Page-generated) segfaulted the
browser immediately, and Netscape Communications, Inc. wasn't fixing it.

Following that was a chaotic period: Mozilla emerged in 1998, with Galeon
as a popular variant, and Konqueror as an independent alternative from the
KDE/Qt camp. Mozilla developers made two key decisions, the first being
the move in October 1998 to write an entirely new rendering engine,
which turned out to be a huge success. The rendering engine is now named
Gecko (formerly Raptor, then NGLayout), and produced the first
stunningly good, modern, world-class browsers, the Mozilla 0.9.x series,
starting May 7, 2001. I personally found this to be the first time it
was truly feasible to run 100% open source software without feeling like
a bit of a hermit. So, I consider May 7, 2001 to be open source's
Independence Day.

The second turning point was in 2003, with the equally difficult decision
that Mozilla's feature creep needed fixing by ditching the "Mozilla
Application Suite" kitchen-sink approach and making the browser separate
again: The Mozilla Project thus produced Firefox (initially called
"Phoenix") as a standalone browser based on a new cross-platform front-end
/ runtime engine called XULRunner (replacing the short-lived Gecko Runtime
Environment). At the same time, Galeon faltered and underwent a further
schism that produced the GNOME-centric, sparsely featured Epiphany browser,
and the XULRunner runtime's abilities inspired Conkeror (a light
browser written mostly in JavaScript), SeaMonkey (a revival of the
Communicator kitchen-sink suite), and Mobile Firefox (formerly Fennec,
formerly Minimo).

Anyway, defying naysayers' expectations, Firefox's winning feature
has turned out to be its extensions interface, usable by add-on code
written in XULRunner's XUL scripting language. At some cost in browser
code bloat[2]
when you use it extensively, that interface has permitted development
of some essential add-ons, with resulting functionality unmatched by any
other Web browser on any OS. In this article, I detail several
extensions to tighten up Firefox's somewhat leaky protection of your
personal privacy, and protect you from Web annoyances. (For reasons
I've detailed elsewhere, you should if possible get software from distro
packages rather than "upstream" non-distro software authors, except in very
exceptional circumstances. So, even though I give direct download links
for three Firefox extensions, below, please don't use those
unless you first strike out with your Linux distribution's own
packages.[3]) I also outline a number of modifications
every Firefox user should consider making to the default configuration,
again with similar advantages in user privacy and tightening of security
defaults. For each such change, I will cite the rationale, so you can
adjust your paranoia to suit.

Here begins the (arguable) mild-paranoia portion of our proceedings:
Have you ever noticed how eager Web-oriented companies are to help you?
You suddenly discover that your software goes out and talks across the
Internet to support some "service" you weren't aware you wanted,
involving some commercial enterprise with whom you have no business
relations. There's hazy information about this-or-that information
being piped out to that firm; you're a bit unclear on the extent of it
— but you're told it's all perfectly fine, because there's a
privacy policy.

There's a saying in the Cluetrain Manifesto, written in part by longtime
Linux pundit Doc Searls, that "Markets are conversations." That is,
it's a negotiated exchange: You give something; you get something.
Sometimes you give information, and, oddly enough, Linux people seem to
often miss the key point: information has value, even yours. In a
market conversation, you're supposed to be able to judge for yourself
whether you want what's being offered, and if you want to donate
the cost thereof (such as some of your data). If you have no use
for what's being offered, you can and should turn off the "service" --
and that's what this article will cover (or at least let you decide what
"services" to participate in, instead of letting others decide for you).

The Essential Extensions

NoScript: The name is slightly misleading: This marvelous
extension lets you selectively disable JavaScript, Java, Flash, and a
variety of other possibly noxious and security-risking "rich content"
(all of it disabled by default), and then enable, on a site-by-site
basis via context menu, just the types of scripting you
really want to execute. More and more, those scripts are some variety
of what are euphemistically called "Web metrics", i.e., data mining
attempts to spy on you and track your actions and movements as you
navigate the Web. NoScript makes all of that just not work, letting you
run only the JavaScript, Flash, etc. that you really want. As a
side-benefit, this extension (like many of the others cited) in effect
makes the Web significantly faster by reducing the amount of junk code
your browser is obliged to process. Available from: http://noscript.net/

Adblock Plus ("ABP"): This extension does further filtering, making
a variety of noxious banner ads and other advertising elements
just not be fetched at all. Highly recommended, though some people
prefer the preceding "Adblock" extension, instead. Privacy
implication? Naturally, additional data mining gets disposed of, into
the bargain. Available from:
http://adblockplus.org/en/

ABP's effectiveness can be substantially enhanced through adding subscriptions to
maintained ABP blocklists. I've found that a combination of EasyList and EasyPrivacy is
effective and reliable, and recommend them. (EasyList is currently
an ABP default.) Since these are just URL-pattern-matching blocklists,
subscriptions are not as security-sensitive as are Firefox extensions
themselves, but you should still be selective about which ones to adopt.

CustomizeGoogle: This extension largely defangs Google search
engine lookup of its major advertising and data-mining features, makes
your Google preferences persistent for a change, adds links to
optionally check alternative search engines' results on the same
queries, anonymises the Google userid string sent when you perform a
Google Web search (greatly reducing the ability of Google's data
mining to link up what subjects you search for with who you are), etc.
Be aware that you'll want to go through CustomizeGoogle's preferences
carefully, as most of its improvements are disabled by default.
Available from:
http://www.customizegoogle.com/

For the record, I like the Google, Inc. company very much, even
after its 2007 purchase of notorious spying-on-customers firm
DoubleClick, Inc., which served as a gentle reminder that the parent
firm's core business, really, intrinsically revolves around data
mining/collection and targeted advertising. What I (like, I assume,
LG readers) really want is to use its services only at my
option, not anyone else's, and to negotiate what I'm giving them, the
Mozilla Corporation, and other business partners, rather than having it
taken behind my back. For example, Ubuntu's first alpha release of
10.04 "Karmic Koala" included what Jon Corbet at LWN.net called "Ubuntu's multisearch surprise":
a custom Firefox search bar that gratuitously sent users to a Google
"search partner" page to better (and silently, without disclosure)
collect money-making data about what you and I are up to. (This feature
was removed following complaints, but the point is that we the users
were neither informed nor asked about whether we wanted to be monitored
a bit more closely to make this "service" possible.)

User Agent Switcher: This extension doesn't technically
concern security and privacy, exactly, but is both useful in itself and
as a way to make a statement to Web-publishing companies about
standards. It turns out that many sites query your browser about its
"User Agent" string, and then decide on the basis of the browser's
answer whether to send it a Web page or not — and what Web page to
send. User Agent Switcher lets you pick dynamically which of several
popular Web browsers you want Firefox to claim to be, or you can write
your own. I usually have mine send "W3C standards are important.
Stop f---ing obsessing over user-agent already", for reasons my friend
Karsten M. Self has cited:

In the finest Alice's Restaurant tradition, if one person does this,
they may think he's sick, and they'll deny him the Web page. If two
people do it, in harmony, well, they're free speech fairies, and they
won't serve them either. If three people do it, three, can you imagine,
three people setting their user-agent strings to "Stop f---ing obsessing
over user-agent...". They may think it's an organization. And can you
imagine fifty people a day? Friends, they may think it's a movement. And
that's what it is... If this string shows up in enough Web server logs,
the message will be felt.

I list a number of other extensions that might be worth considering
on my personal pages.

[ I can also recommend the Web Developer toolbar extension.
Even if you're not a Web developer, the tool can help you to deactivate
obnoxious style sheets and layouts. In addition, you can instantly clear
all cookies and HTTP authentications for the site you are viewing
(by using the menu item Miscellaneous/Clear Private Data/...).
-- René ]

Configuration of the Browser Itself

Edit: Preferences: Content: Select Advanced for "Enable JavaScript"
and deselect all. Reason: There's no legitimate need for JavaScript to
fool with those aspects of your browser. Then uncheck Java, unless you
actually ever use Java applets in your Web browser. (You can always
re-enable if you ever need it.)

Edit: Preferences: Privacy: Uncheck "Accept third-party
cookies." Reason: I've only seen one site where such were essential
to the site's functionality, and even then it was clearly also being
used for data mining. Enable "Always clear my private data when I close
Firefox". Click "Settings" and check all items. Reason: When you
ask to delete private data, it should actually happen. Disable
"Remember what I enter in forms and the search bar". Reason: Your
prior forms data is often security-sensitive. Consider disabling
"Keep my history for n days" and "Remember what I've downloaded".
Reason: You don't get much benefit from keeping this private data
around persistently, so why log it?

Edit: Preferences: Security: Visit "Exceptions" to "Warn me
when sites try to install add-ons" and remove all. Reason: You should
know. Disable "Tell me if the site I'm visiting is a suspected attack
site" and "Tell me if the site I'm visiting is a suspected forgery".
Reason: Eliminate periodic visits to an anti-phishing, anti-malware
nanny site. Really, can't you tell EBay and your bank from fakes, and
can't you deal with malware by just not running it? "Remember passwords
for sites": If you leave this enabled, remember that Firefox will leave
them in a central data store that is only moderately obscured, and then
only if you set a "master password". Don't forget, too, that even the
list of sites to "Never Save" passwords for, which isn't obscured at
all, can be very revealing. The cautious will disable this feature
entirely — or, at minimum, avoid saving passwords for any site that
is security-sensitive.

Edit: Preferences: Advanced: On General tab, enable
"Warn me when Web sites try to redirect or reload the page". Reason:
You'll want to know about skulduggery. On Update tab, disable
"Automatically check for updates to: Installed Add-ons" and
"Automatically check for updates to: Search Engines", and select
"When updates to Firefox are found: Ask me what I want to do".
Reason: You really want those to happen when and if you choose.

Now we head over to URL "about:config". You'll see the
condescending "This might void your warranty!" warning. Select the
cutesy "I'll be careful, I promise!" button and uncheck "Show this
warning next time". Reason: It's your darned browser config.
Hypothetically if you totally screw up, at worst you can close Firefox,
delete ~/.mozilla/firefox/ (after saving your bookmarks.html), and try
again.

Set "browser.urlbar.matchOnlyTyped = true": This disables the
Firefox 3.x "Awesome Bar" that suggests searches in the Search box based
on what it learns from watching your bookmarks and history, which is
not (in my opinion) all that useful, and leaves information on your
browsing habits lying around.

Set "browser.ssl_override_behavior = 2" and
"browser.xul.error_pages.expert_bad_cert = true": This reverts
Firefox's handling of untrusted SSL certificates to the 2.x behaviour.
Reason: The untrusted-SSL dialogues in Firefox 3.x
are supremely annoying, "Do you want to add an exception?" prompt and
all.

Set "xpinstall.enabled = false": Globally prevents Firefox from
checking for updates to Firefox and installed extensions. Reason:
This really should happen on your schedule, not Firefox's.

Set "permissions.default.image = 3": This control specifies which
images (picture elements) to get, where 1 = all regardless of origin
(default), 2 = block all, 3 = fetch only from the site you're browsing.
Reason: Images from third-party sites are banner ads or Web bugs, 99%
of the time. Note that the ability to block third-party images used to
be part of regular Mozilla/Firefox preferences, but was banished to
"about:config" as part of a general dummying down.

Set "network.dns.disableIPv6 = true": Prevents Firefox from
attempting IPv6 lookups. Reason: At the moment, for most people,
there's no point to this function, and it wastes network traffic trying
IPv6 before falling back to regular IPv4. If the world changes, you can
toggle this setting back.

Set "extensions.blocklist.enabled" to disabled: Stops Firefox
from repeatedly polling a remote site for a malware blacklist.
Reason: Wasted traffic, and usual logic about malware applies.

Set the three "browser.contentHandlers.types.[012].uri" items to
blank: Stops Firefox from repeatedly polling Bloglines, My Yahoo, and
Google for RSS feeds that you don't necessarily care about at all.
Reason: Wasted network traffic.

Set "plugin.default_plugin_disabled = false": This prevents
Firefox's libnullplugin.so from popping up annoying dialogues suggesting
you go hunting for plugins/extensions every time you encounter a file
on the Web with an unfamiliar MIME type. Reason: Stops Firefox's
repetitive suggestions (in a yellow bar at the top of the page) that you
install yet more plugins/extensions.

Set "geo.enabled" to disabled: This is yet another Google
service that they swear up and down is absolutely not a privacy
violation, and they have a privacy policy, etc. In this case, it's
"location-aware browsing", where, on "location-aware Web sites", Google
will estimate your latitude/longitude and provide enhanced services
such as lo! there's a pizza restaurant on the next block. Reason:
Obvious, I imagine. Disabling that key makes the feature go away
entirely.
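
The about:config changes above can be made persistent and repeatable by putting them in the profile's user.js file, which Firefox reads at every start and applies over prefs.js. The following shell script is an added example, not part of the original article; the pref names and values are the ones listed above, and the profile directory (typically a subdirectory of ~/.mozilla/firefox/) is passed as an argument.

```shell
#!/bin/sh
# Added example: merge the article's about:config values into a profile's
# user.js. Names and values are exactly the ones the article lists; "set to
# disabled" is written as false and "set to blank" as an empty string.

article_prefs() {
cat <<'EOF'
user_pref("browser.urlbar.matchOnlyTyped", true);
user_pref("browser.ssl_override_behavior", 2);
user_pref("browser.xul.error_pages.expert_bad_cert", true);
user_pref("xpinstall.enabled", false);
user_pref("permissions.default.image", 3);
user_pref("network.dns.disableIPv6", true);
user_pref("extensions.blocklist.enabled", false);
user_pref("browser.contentHandlers.types.0.uri", "");
user_pref("browser.contentHandlers.types.1.uri", "");
user_pref("browser.contentHandlers.types.2.uri", "");
user_pref("plugin.default_plugin_disabled", false);
user_pref("geo.enabled", false);
EOF
}

# apply_prefs PROFILE_DIR
# Lines in an existing user.js for other prefs (and comments) are kept;
# any existing line for one of the prefs above is replaced, so running
# this twice leaves exactly one line per pref.
apply_prefs() {
    profile=$1
    [ -d "$profile" ] || { echo "no such profile: $profile" >&2; return 1; }
    target=$profile/user.js
    [ -f "$target" ] || : > "$target"
    tmp=$(mktemp "$profile/user.js.XXXXXX") || return 1
    {
        # First input (stdin) is our list: remember its pref names.
        # Second input is the existing file: drop lines for those names.
        article_prefs | awk -v q='"' '
            NR == FNR { split($0, p, q); ours[p[2]] = 1; next }
            { split($0, p, q) }
            !($0 ~ /^[ \t]*user_pref\(/ && (p[2] in ours))
        ' - "$target"
        article_prefs
    } > "$tmp" && mv "$tmp" "$target"
}

# Stand-alone use: sh this-script.sh /path/to/profile  (with Firefox closed)
[ "$#" -eq 0 ] || apply_prefs "$1"
```

Deleting a line from user.js does not revert the pref, because Firefox has already copied the value into prefs.js; reset it in about:config as well.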

Other Ideas

We've already lightly touched on a favourite tinfoil-hat obsession: browser
cookies. Like many other browser features, cookies have a fine
legitimate purpose, that of offering a persistent-data store for what's
normally a stateless protocol (HTTP), e.g., for session data. Of
course, the feature was abused about a millisecond after its invention,
but the aforementioned unchecking of "Accept third-party cookies" in my
view controls such abuse well enough.

What's often neither understood nor controlled are Flash cookies,
which Adobe calls "Local Shared Objects", a hidden datastore, holding
up to 100kB per domain, maintained by the local Adobe (ex-Macromedia)
Flash interpreter under your ~/.macromedia tree, in files with .sol
filename extensions. What data? Anything and everything, but mostly the
usual obnoxious per-user tracking, except with 25 times the storage and
effectively no scrutiny. Bad? You bet. Researchers have found that
companies have taken to using Flash cookies not only to
track users but also to re-create, behind the user's back, regular
browser cookies he or she has deliberately deleted -- invisibly to
browser privacy controls and outside their reach. It should also be
noted that data in Flash cookies are queryable by any other
Flash-enabled application.

The standard recommendation to control Flash cookies (which, of course,
are far less of an issue with NoScript and Adblock Plus than without
them) is another Firefox extension, BetterPrivacy
— but I would like to specifically disrecommend that solution,
because BetterPrivacy is proprietary software for which source code is
never even available for inspection. Can you imagine going to all
the trouble of running an open-source browser on an open-source OS, and
then throwing in a "hey, trust me" proprietary binary-only module from
someone you don't even know?

A new, genuinely open source alternative is Greg Yardley's Objection,
which seems worth looking into. Alternatively, it seems almost as easy
to write a dirt-simple
weekly cronjob to delete unwanted Flash cookies by filename. (E.g.,
you might want to keep certain domains' cookies, that seem to hold only
innocuous Flash-related settings such as Flash games' settings and some
sites' login data, and lop off the rest.)
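
A sketch of the weekly cron job suggested above, as an added example that is not from the original article: it lists, or with a third argument of delete removes, every .sol file under the Flash tree unless its path contains a directory named for a domain in a keep-list. The keep-list file, the paths in the sample crontab line, and the assumption that each site's objects sit below a directory named after its domain are mine.

```shell
#!/bin/sh
# Added example: prune Flash cookies (.sol files) by domain keep-list.
#
# Sample crontab entry (hypothetical paths), Sundays at 03:00:
#   0 3 * * 0 /usr/local/bin/purge-flash-cookies "$HOME/.macromedia" "$HOME/.flash-keep" delete
#
# Keep-list format: one directory name (domain) per line; blank lines and
# lines starting with '#' are ignored.

# purge_flash_cookies ROOT KEEPFILE [delete]
# Prints each .sol file that is not protected by the keep-list; removes it
# only when the third argument is "delete". Filenames containing newlines
# are not supported.
purge_flash_cookies() {
    root=$1; keepfile=$2; mode=${3:-list}
    # Fail closed: without a readable keep-list, touch nothing.
    [ -r "$keepfile" ] || { echo "cannot read keep-list: $keepfile" >&2; return 1; }
    [ -d "$root" ] || return 0          # no Flash data, nothing to do

    find "$root" -type f -name '*.sol' | while IFS= read -r sol; do
        kept=no
        while IFS= read -r dom; do
            case $dom in ''|'#'*) continue ;; esac
            # Match only a whole path component, so "example.org" in the
            # keep-list does not protect "notexample.org".
            case $sol in */"$dom"/*) kept=yes; break ;; esac
        done < "$keepfile"
        if [ "$kept" = no ]; then
            printf '%s\n' "$sol"
            if [ "$mode" = delete ]; then rm -f -- "$sol"; fi
        fi
    done
}

# Stand-alone use: sh this-script.sh ~/.macromedia ~/.flash-keep [delete]
[ "$#" -eq 0 ] || purge_flash_cookies "$@"
```

Run it once without delete and read the list before scheduling it.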

Adobe Systems, Inc., themselves, offer a third alternative: Visiting a
set of Adobe Web pages called Flash Settings Manager lets you view and
control Flash Cookies via — guess what — a Flash-based control panel
the company provides
for that purpose. Use it if you like. Personally, I find the notion of
using Adobe's help to control a privacy risk they created to be...
unwise, on balance — although viewing its settings was enlightening
and worthwhile.

There are plenty of aesthetic improvements one might also
make to clean up Firefox's appearance, but those are obviously highly
individual, so I'll omit my prejudices in that department. Suffice it
to say that delving through all of the Edit: Preferences and the View
menu will be well worth your time.

Acknowledgements: All of the above text is original, but many ideas about
Firefox configuration were taken from bloggers Uwe Hermann and Wouter
Verhelst and several anonymous commentators, to all of whom I'm
grateful.

[1] IT columnist David Berlind defined "Web 2.0" as "When the Back
button doesn't work".

[2] Firefox bloat generally is a real concern. Starting around 2006,
Jason Halme has shown starkly just how severe the bloat is, by releasing
an optimally configured and compiled (but proprietary-licensed) variant
called Swiftfox, which is markedly faster
in launching and rendering, and also includes protection against buffer
overflow attacks.

Probably inspired by Halme's work, developer "SticKK" has released
a very similar variant under Firefox's original MPL 1.1 open-source
licensing, called Swiftweasel, which is well worth considering instead
of vanilla Firefox, and is
packaged by common Linux distributions. It's fully compatible with
Firefox extensions. (If you're a Mozilla Thunderbird user, "SticKK's"
Swiftdove lends the same advantages to that program, too.)

[3] For example, Debian and Ubuntu both offer maintained packages for Adblock,
Adblock Plus, NoScript, and the Web Developer extension mentioned by
René Pfeiffer. A package of User Agent Switcher is currently
proposed. And even Fedora, not the most lavish of
desktop distributions, at least packages NoScript. So, check your
distribution-of-choice's package listings.

Linux and BSD users' ability to rely on their distribution package maintainers
as gatekeepers against security problems, quality problems, and even against
misbehaviour "upstream"
(a term used to refer to original authors' source code that
is selectively picked up and packaged, often with some tweaks, by Linux
distributions) gives them a huge advantage that MS-Windows and MacOS users
can only dream of. A decade-plus of experience suggests you're greatly
safer when you rely on that gatekeeping function, and go outside that
regime to "upstream" sources only with great caution if ever.

"Upstream sources" of what, you might ask? Firefox extensions would
be one excellent example. Make no mistake: These are programs, and you
need to be on-guard. Browse the listings at Mozilla Organization's
https://addons.mozilla.org/
"portal" site skeptically, and you soon notice that the site says
nothing about each entry's licensing or source code, and instead rushes
you towards the big "Download Now!" button. In fact, many extensions
listed turn out, upon more-careful scrutiny, to be proprietary,
binary-only software that isn't audited by anyone you would have
confidence in and never will be. In any situation where you find
yourself casually expected to run code from nobody in particular --
a fair description of unauditable proprietary extensions from people
you've never heard of -- your first reaction should be "No. Why on
earth would I?" All of the extensions René and I have cited are
genuine open source, and from people with established (generally good)
reputations, notwithstanding which you should look among your
distribution's packages for them first, before resorting to
fetching "upstream" code from the authors' sites.

The advantage: The distribution package maintainer should be accepting
code from upstream only when it's been checked for quality, made to
comply with your Linux distribution's policies, not a buggy beta
(not all new code from upstream is necessarily an improvement),
read to (with luck) catch any unpleasant surprises, and verified to be
signed by the real upstream coder to eliminate the possibility of
trojaned (booby-trapped) substitute code inserted by malign parties
in place of the author's real code. Plus, you will get subsequent updates
semi-automatically in a rational fashion, with your regular package
updates, as a harmonised part of your Linux distribution.

Other examples of third-party additions include Web apps enticingly offered
as directly downloadable .tar.gz (or zip) archives, all manner of third-party
.deb / .rpm packages, alleged screensavers, alleged Internet poker
games, alleged video codecs, alleged desktop themes, alleged
"birthday cards", alleged ancillary software, etc. You need to be on
your guard: You might not be worried about the security of screensaver
modules because they're just glorified wallpaper, but suppose one is
published on a community site in .deb format (and you're on, say,
Ubuntu). You need to install that with your software package installer,
using sudo or root authority, right? Oops, bad idea, because that means
you'll be running any included scripts with root authority, and how much
did you trust the unknown person behind this screensaver? This
scenario's already happened, and unwary novices shot themselves in the
foot by installing trojaned
software -- by trusting an alleged screensaver from nobody in particular
who'd listed it on gnome-look.org.

It's important to realise that no security protections can protect a
user who defeats his/her system's security by running untrustworthy
software from nowhere in particular. If you go out of your way to fetch
that metaphorical gun and aim it at your feet, the resulting hole in
your pedal extremity is your responsibility. The best the Linux
community can do is help train you to know when your danger alarms
should be ringing loudly -- and going outside your system's packaged
software regime to any source of third-party software is one of the
chief signs of danger.

[4] My somewhat sarcastic reference to "rich computing experience" harks
back to an encounter Microsoft Corporation had with the technical
community: Specifically, Microsoft developer Bob Atkinson noticed in 1997
some critical discussion in RISKS Digest of his "Authenticode" algorithm
for ensuring that ActiveX
controls in Microsoft Internet Explorer are "safe" on account of being
cryptographically signed with (what you hope is) an unrevoked, valid sender
key. He reassured RISKS regulars that Microsoft wanted merely to ensure a
"rich computing
experience", that Microsoft had all the problems covered, and that
everything would be fine. His logic and methods were then expertly but
politely pureed over a ten-day period; the comments are popcorn-worthy,
especially one fine summary by Peter Gutmann of New Zealand.

Rick has run freely-redistributable Unixen since 1992, having been roped
in by first 386BSD, then Linux. Having found that either one sucked
less, he blew away his last non-Unix box (OS/2 Warp) in 1996. He
specialises in clue
acquisition and delivery (documentation & training), system
administration, security, WAN/LAN design and administration, and
support. He helped plan the LINC Expo (which evolved into the first
LinuxWorld Conference and Expo, in San Jose), Windows Refund Day, and
several other rabble-rousing Linux community events in the San Francisco
Bay Area. He's written and edited for IDG/LinuxWorld, SSC, and the
USENIX Association; and spoken at LinuxWorld Conference and Expo and
numerous user groups.

His first computer was his dad's slide rule, followed by visitor access
to a card-walloping IBM mainframe at Stanford (1969). A glutton for
punishment, he then moved on (during high school, 1970s) to early HP
timeshared systems, People's Computer Company's PDP8s, and various
of those they'll-never-fly-Orville microcomputers at the storied
Homebrew Computer Club -- then more Big Blue computing horrors at
college alleviated by bits of primeval BSD during UC Berkeley summer
sessions, and so on. He's thus better qualified than most, to know just
how much better off we are now.

When not playing Silicon Valley dot-com roulette, he enjoys
long-distance bicycling, helping run science fiction conventions, and
concentrating on becoming an uncarved block.